Configuring the Switch for Secure Socket Layer HTTP
The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated
port (the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1
server processes requests and passes responses (pages) back to the HTTP secure server, which, in turn,
responds to the original request.
The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application
requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and
pass the response back to the application.
Certificate Authority Trustpoints
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network
devices. These services provide centralized security key and certificate management for the participating
devices. Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a
certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually
a Web browser), in turn, has a public key that allows it to authenticate the certificate.
For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA
trustpoint is not configured for the device running the HTTPS server, the server certifies itself and
generates the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide
adequate security, the connecting client generates a notification that the certificate is self-certified, and
the user has the opportunity to accept or reject the connection. This option is useful for internal network
topologies (such as testing).
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary
or a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
•
•
The certificate authorities and trustpoints must be configured on each device individually. Copying them
Note
from other devices makes them invalid on the switch.
If a self-signed certificate has been generated, this information is included in the output of the show
running-config privileged EXEC command. This is a partial sample output from that command
displaying a self-signed certificate.
Switch# show running-config
Building configuration...
<output truncated>
crypto pki trustpoint TP-self-signed-3080755072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3080755072
revocation-check none
rsakeypair TP-self-signed-3080755072
!
!
crypto ca certificate chain TP-self-signed-3080755072
certificate self-signed 01
Cisco IE 3000 Switch Software Configuration Guide
9-38
If the switch is not configured with a hostname and a domain name, a temporary self-signed
certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new
temporary new self-signed certificate is assigned.
If the switch has been configured with a host and domain name, a persistent self-signed certificate
is generated. This certificate remains active if you reboot the switch or if you disable the secure
HTTP server so that it will be there the next time you re-enable a secure HTTP connection.
Chapter 9
Configuring Switch-Based Authentication
OL-13018-01